当前位置:首页 > 开发 > Web前端 > 前端 > 正文

The X-Frame-Options response header

发表于: 2013-12-02   作者:sunjing   来源:转载   浏览次数:
摘要: https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options   The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a

https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options

 

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

Using X-Frame-Options

There are three possible values for X-Frame-Options:

DENY
The page cannot be displayed in a frame, regardless of the site attempting to do so.
SAMEORIGIN
The page can only be displayed in a frame on the same origin as the page itself.
ALLOW-FROM uri
The page can only be displayed in a frame on the specified origin.

In other words, if you specify DENY, not only will attempts to load the page in a frame fail when loaded from other sites, attempts to do so will fail when loaded from the same site. On the other hand, if you specify SAMEORIGIN, you can still use the page in a frame as long as the site including it in a frame is the same as the one serving the page.

Configuring Apache

To configure Apache to send the X-Frame-Options header for all pages, add this to your site's configuration:

Header always append X-Frame-Options SAMEORIGIN

Configuring nginx

To configure nginx to send the X-Frame-Options header, add this either to your http, server or location configuration:

add_header X-Frame-Options SAMEORIGIN;

Results

When an attempt is made to load content into a frame, and permission is denied by the X-Frame-Options header, Firefox currently renders about:blank into the frame. At some point, an error message of some kind will be displayed in the frame instead.

Browser compatibility

Feature Chrome Firefox (Gecko) Internet Explorer Opera

 Safari

Basic support 4.1.249.1042 3.6.9 (1.9.2.9) 8.0 10.5 4.0
ALLOW-FROM support Not supported 18.0 (18.0) bug 690168 8.0 Not supported WebKit bug 94836

The X-Frame-Options response header

  • 0

    开心

    开心

  • 0

    板砖

    板砖

  • 0

    感动

    感动

  • 0

    有用

    有用

  • 0

    疑问

    疑问

  • 0

    难过

    难过

  • 0

    无聊

    无聊

  • 0

    震惊

    震惊

编辑推荐
HTTP Request header 当今web程序的开发技术真是百家争鸣,ASP.NET, PHP, JSP,Perl, AJAX 等等。
HTTP协议采用了请求/响应模型,浏览器或其他客户端发出请求,服务器给与响应。就整个网络资源传输而
服务器启动 每一个servlet 创建一个对象 浏览器启动 每一个请求 创建 request response 对象 请求结
本章目标 掌握response的主要使用,及对应接口定义 可以使用response设置头信息 可以使用response进
HTTP协议详解 - 小坦克 - 博客园 HTTP Request header 当今web程序的开发技术真是百家争鸣,ASP.NET
test1.php <?PHP $g_user = "Jack"; echo $g_user; ?> test3.php <?PHP header('Location:
At the bggining,Sorry! I'm spanish an I don't speck english very well, but I want to try some
做了一段时间爬虫,发觉http header十分有用 比如一些防爬虫网站在没有header的情况下是不让访问的,
HTTP Request header 当今web程序的开发技术真是百家争鸣,ASP.NET, PHP, JSP,Perl, AJAX 等等。
--改动file header ------------------------------------------------------------------------- c
版权所有 IT知识库 CopyRight © 2009-2015 IT知识库 IT610.com , All Rights Reserved. 京ICP备09083238号